About This Document


This document is Volume 9 of the OCTAVE-S Implementation Guide, a 10-volume handbook supporting the OCTAVE-S methodology. This volume contains worksheets to record the organization’s current and desired protection strategies and the risk mitigation plans.

The volumes in this handbook are

• Volume 1: Introduction to OCTAVE-S - This volume provides a basic description of OCTAVE-S and advice on how to use the guide.

• Volume 2: Preparation Guidelines - This volume contains background and guidance for preparing to conduct an OCTAVE-S evaluation.

• Volume 3: Method Guidelines - This volume includes detailed guidance for each OCTAVE-S activity.

• Volume 4: Organizational Information Workbook - This volume provides worksheets for all organizational-level information gathered and analyzed during OCTAVE-S.

• Volume 5: Critical Asset Workbook for Information - This volume provides worksheets to document data related to critical assets that are categorized as information.

• Volume 6: Critical Asset Workbook for Systems - This volume provides worksheets to document data related to critical assets that are categorized as systems.

• Volume 7: Critical Asset Workbook for Applications - This volume provides worksheets to document data related to critical assets that are categorized as applications.

• Volume 8: Critical Asset Workbook for People - This volume provides worksheets to document data related to critical assets that are categorized as people.

• Volume 9: Strategy and Plan Workbook - This volume provides worksheets to record the current and desired protection strategy and the risk mitigation plans.

• Volume 10: Example Scenario - This volume includes a detailed scenario illustrating a completed set of worksheets.
Abstract


The Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM) (OCTAVE®) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organization’s security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization’s personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organization’s unique operational security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organization’s business and security processes, so it will be able to conduct all activities by itself.
1 Introduction


This document contains the Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM) (OCTAVE®)-S worksheets related to the organization’s strategy development and planning activities.

Table 1 provides a brief introduction to the contents of this workbook, using activity step numbers as a key. For more details about how to complete each step, refer to the OCTAVE®-S Method Guidelines, which can be found in Volume 3 of the OCTAVE®-S Implementation Guide.


Table 1: Worksheets Provided in This Workbook

Columns: Step | Description | Worksheet | Activity | Pages

Step: (not step-specific)
Description: Document notes and recommendations identified during each step.
Worksheet: Notes and Recommendations
Activity: All Phases, All Processes, All Activities
Pages: 3-12

Step: (not step-specific)
Description: Document action items identified during each step.
Worksheet: Action List
Activity: All Phases, All Processes, All Activities
Pages: 13-22

Step: Step 25
Description: Transfer the stoplight status of each security practice area to the corresponding area of the Protection Strategy worksheet. For each security practice area, identify your organization’s current approach for addressing that area.
Worksheet: Protection Strategy
Activity: Phase 3, Process S5, S5.1 Describe Current Protection Strategy
Pages: 23-82

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon University.
Table 1: Worksheets Provided in This Workbook (cont.)

Columns: Step | Description | Worksheet | Activity | Pages

Step: Step 28
Description: Develop mitigation plans for each security practice area selected during Step 27. As you complete this step, if you have difficulty coming up with potential mitigation activities for a security practice area, review examples of mitigation activities for that area in the Mitigation Activities Guide.
Worksheet: Mitigation Plan
Activity: Phase 3, Process S5, S5.3 Develop Risk Mitigation Plans
Pages: 115-128

Step: Step 29
Description: Determine whether your mitigation plans affect your organization’s protection strategy. Record any changes on the Protection Strategy worksheet. Next, review the protection strategy, including proposed changes. Determine whether you intend to make any additional changes to the protection strategy. Record any additional changes on the Protection Strategy worksheet.
Worksheet: Protection Strategy
Activity: Phase 3, Process S5, S5.4 Identify Changes to Protection Strategy
Pages: 23-82

Step: Step 30
Description: Determine what your organization must do to implement the results of this evaluation and improve its security posture.
Worksheet: Next Steps
Activity: Phase 3, Process S5, S5.5 Identify Next Steps
Pages: 129-132
2 Notes and Recommendations Worksheet

Throughout Evaluation

Document notes and recommendations identified during each step.

Notes and Recommendations Worksheet (worksheet columns)

Note: What notes do you want to record?

Recommendation: Is there a recommendation associated with this note? If yes, document it in the corresponding recommendations box.

Step: For which step is this note relevant?

CMU/SEI-2003-HB-003 Volume 9

OCTAVE-S V1.0
3 Action List Worksheet

All Phases, All Processes, All Activities: Throughout Evaluation

Document action items identified during each step.
Action List Worksheet (worksheet columns)

ID#: Assign an identification number to each action item.

Action Item: What actions do you intend to take?

Step: For which step is this action item relevant?

What additional information do you want to document for each action item? Record additional information below.

Responsibility: Who is responsible for completing the action item?

Completion Date: By when must the action item be completed?

Additional Support: What additional support (by management or others) is required to complete the action item?
4 Protection Strategy Worksheet

Step 25

Transfer the stoplight status of each security practice area to the corresponding area of the Protection Strategy worksheet.

For each security practice area, identify your organization’s current approach for addressing that area.

Step 29

Determine whether your mitigation plans affect your organization’s protection strategy. Record any changes on the Protection Strategy worksheet.

Next, review the protection strategy, including proposed changes. Determine whether you intend to make any additional changes to the protection strategy. Record any additional changes on the Protection Strategy worksheet.


1. Security Awareness and Training

Stoplight Status: ______

Step 25 column: Current.   Step 29 column: Change.

Training Strategy

□ Current  □ Change   The organization has a documented training strategy that includes security awareness training and security-related training for supported technologies.
□ Current  □ Change   The organization has an informal and undocumented training strategy.
□ Current  □ Change   ______

Security Awareness Training

Step 25: How often is security awareness training provided?
Step 29: Will any mitigation activities change how often security awareness training is provided? Do you want to make any additional changes to how often security awareness training is provided?

□ Current  □ Change   Periodic security awareness training is provided for all employees ___ time(s) every ___ years.
□ Current  □ Change   Security awareness training is provided for new staff members as part of their orientation activities.
□ Current  □ Change   ... learn about security issues on their own.
□ Current  □ Change   ______

Security-Related Training for Supported Technologies

Step 25: To what extent are IT staff members required to attend security-related training?
Step 29: Will any mitigation activities change the requirement for attending security-related training? Do you want to make any additional changes to the requirement for attending security-related training?

□ Current  □ Change   Information technology staff members are required to attend security-related training for any technologies that they support.
□ Current  □ Change   Information technology staff members can attend security-related training for any technologies that they support if they request it.
□ Current  □ Change   The organization generally does not provide opportunities for information technology staff members to attend security-related training for supported technologies. Information technology staff members learn about security-related issues on their own.
□ Current  □ Change   ______

Periodic Security Updates

Step 25: How formal is your organization’s mechanism for providing periodic security updates?
Step 29: Will any mitigation activities change your mechanism for providing periodic security updates? Do you want to make any additional changes to your mechanism for providing periodic security updates?

□ Current  □ Change   The organization has a formal mechanism for providing staff members with periodic updates/bulletins about important security issues.
□ Current  □ Change   The organization does not have a mechanism for providing staff members with periodic updates/bulletins about important security issues.
□ Current  □ Change   ______

Training Verification

Step 25: How formal is your organization’s mechanism for verifying that staff receives training?
Step 29: Will any mitigation activities change your mechanism for verifying that staff receives training? Do you want to make any additional changes to your mechanism for verifying that staff receives training?

□ Current  □ Change   The organization has formal mechanisms for tracking and verifying that staff members receive appropriate security-related training.
□ Current  □ Change   The organization has informal mechanisms for tracking and verifying that staff members receive appropriate security-related training.
□ Current  □ Change   The organization has no mechanisms for tracking and verifying that staff members receive appropriate security-related training.
□ Current  □ Change   ______

Other

Step 25: What additional characteristic of your current approach to security awareness and training do you want to record?
Step 29: Will any mitigation activities change this characteristic? Do you want to make any additional changes to this characteristic?

□ Current  □ Change   Other: ______
□ Current  □ Change   ______
□ Current  □ Change   ______
2. Security Strategy

Stoplight Status: ______

Step 25 column: Current.   Step 29 column: Change.

Business and Security Strategy Integration

Step 25: How formal is your organization’s mechanism for integrating security and business strategies?

□ Current  □ Change   The organization has formal mechanisms for integrating
                      • security considerations into business strategies
                      • business strategies and goals into security strategies and policies
□ Current  □ Change   The organization has informal mechanisms for integrating
                      • security considerations into business strategies
                      • business strategies and goals into security strategies and policies
□ Current  □ Change   The organization has no mechanisms for integrating
                      • security considerations into business strategies
                      • business strategies and goals into security strategies and policies
□ Current  □ Change   ______

Documented Strategies

Step 25: How formal are your organization’s security strategies, goals, and objectives?
Step 29: Will any mitigation activities change your security strategies, goals, and objectives? Do you want to make any additional changes to your security strategies, goals, and objectives?

□ Current  □ Change   The organization has documented security strategies, goals, and objectives.
□ Current  □ Change   The organization has a partial set of documented security strategies, goals, and objectives. Some aspects of security strategies, goals, and objectives are informal and undocumented.
□ Current  □ Change   The organization has informal and undocumented security strategies, goals, and objectives.
□ Current  □ Change   ______

Staff Awareness

□ Current  □ Change   The organization’s security awareness training program includes information about the organization’s security strategy. This training is provided for all employees ___ time(s) every ___ years.
□ Current  □ Change   The organization’s security awareness training program includes information about the organization’s security strategy. This training is provided for new staff members as part of their orientation activities.
□ Current  □ Change   The organization’s security awareness training program does not include information about the organization’s security strategy. Staff members learn about the organization’s security strategy on their own.
□ Current  □ Change   ______

Other

Step 25: What additional characteristic of your current approach to security strategy do you want to record?
Step 29: Will any mitigation activities change this characteristic? Do you want to make any additional changes to this characteristic?

□ Current  □ Change   Other: ______
□ Current  □ Change   ______
□ Current  □ Change   ______
3. Security Management

Stoplight Status: ______

Step 25 column: Current.   Step 29 column: Change.

Roles and Responsibilities

Step 25: To what extent are security roles and responsibilities formally defined?
Step 29: Will any mitigation activities change the extent to which security roles and responsibilities are formally defined?

□ Current  □ Change   The organization has formally documented information security roles and responsibilities for all staff in the organization.
□ Current  □ Change   The organization has formally documented information security roles and responsibilities for selected staff in the organization.
□ Current  □ Change   The organization has informal and undocumented information security roles and responsibilities.
□ Current  □ Change   ______

Funding

Step 25: To what extent is security formally factored into your organization’s budget?
Step 29: Will any mitigation activities change how security is formally factored into your organization’s budget?

□ Current  □ Change   The organization’s budget has a distinct line item for information security activities. The funding level is determined based on a formal assessment of the organization’s information security risks.
□ Current  □ Change   The organization’s budget has a distinct line item for information security activities. The funding level is determined using informal processes.
□ Current  □ Change   The organization’s budget explicitly includes information security activities under the line item for information technology (IT). The funding level is determined based on a formal assessment of the organization’s information security risks.
□ Current  □ Change   The organization’s budget explicitly includes information security activities under the line item for information technology. The funding level is determined using informal processes.
□ Current  □ Change   Neither the organization’s budget nor the IT department’s budget explicitly includes funding for information security activities.
□ Current  □ Change   ______

Human Resource Procedures

Step 25: How formal are your organization’s security-related human resource procedures?
Step 29: Will any mitigation activities change your security-related human resource procedures?

□ Current  □ Change   The organization has formally defined procedures for including security considerations in the organization’s hiring (e.g., background checks) and termination (e.g., removing access to all systems and information) processes.
□ Current  □ Change   The organization has some formally defined procedures for including security considerations in the organization’s hiring (e.g., background checks) and termination (e.g., removing access to all systems and information) processes. Some procedures in this area are informal and undocumented.
□ Current  □ Change   The organization has informal and undocumented procedures for including security considerations in the organization’s hiring (e.g., background checks) and termination (e.g., removing access to all systems and information) processes.
□ Current  □ Change   ______

Step 25: How formal is your organization’s process for managing information security risk?

□ Current  □ Change   The organization has a formally defined process for assessing and managing its information security risks.
□ Current  □ Change   The organization has a formally defined process for assessing its information security risks. The process for managing information security risks is informal and undocumented.
□ Current  □ Change   The organization has an informal and undocumented approach for assessing and managing its information security risks.
□ Current  □ Change   ______

Staff Awareness

Step 25: To what extent does your security-awareness training program include information about the organization’s security management process?
Step 29: Will any mitigation activities change the content of your security awareness training to include security management information? Do you want to make any additional changes to the content of your security awareness training?

□ Current  □ Change   The organization’s security-awareness training program includes information about the organization’s security management process. This training is provided for all employees ___ time(s) every ___ years.
□ Current  □ Change   The organization’s security-awareness training program includes information about the organization’s security management process. This training is provided for new staff members as part of their orientation activities.
□ Current  □ Change   The organization’s security-awareness training program does not include information about the organization’s security management process. Staff members learn about security management on their own.
□ Current  □ Change   ______

Management Awareness

Step 25: How formal is your organization’s mechanism for providing managers with security-related information?
Step 29: Will any mitigation activities change how security-related information is provided to managers? Do you want to make any additional changes to how security-related information is provided to managers?

□ Current  □ Change   The organization has a formal mechanism for providing managers with summaries of important security-related information.
□ Current  □ Change   The organization has an informal and undocumented mechanism for providing managers with summaries of important security-related information.
□ Current  □ Change   The organization has no mechanism for providing managers with summaries of important security-related information.
□ Current  □ Change   ______

Other

Step 25: What additional characteristic of your current approach to security management do you want to record?
Step 29: Will any mitigation activities change this characteristic? Do you want to make any additional changes to this characteristic?

□ Current  □ Change   Other: ______
□ Current  □ Change   ______
□ Current  □ Change   ______
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4.  Security  Policies  and  Regulations 


Stoplight  Status 


Step  25:  To  what  extent  are  your  organization 's  security-related  policies  formally  documented? 

Step  29  ■  Will  any  mitigation  activities  change  the  extent  to  which  your  security-related  policies  are  formally  documented?  __ 
Do  youwant  to  make  any  additional  changes  to  theformality  and  documentation  of  your  security- re  la  ted  policies. 


Documented  Policies 


Step  25 


Step  29 


The  organization  has  a  comprehensive  set  of  formally  documented  security-  □  Current  □  Change 


The  organization  has  a  partial  set  of  formally  documented  security-related 
policies.  Some  security-related  policies  are  informal  and  undocumented. 

a 

Current 

□ 

Change 

The  organization’s  security-related  policies  are  informal  and  undocumented. 

□ 

Current 

a 

Change 

□ 

Current 

□ 

Change 

Step  25:  How  formal  is  your  organization 's  mechanism  for  creating  and  updating  its  security-related  policies? 


Step  29 ■  Will  any  mitigation  activities  change  how  security-related  policies  are  created  and  updated? 

r»„  . .  „„„  nMhinnnl  changes  to  how  securitv-related  policies  are  created  and  updated' 


Policy  Management 


ilH^H 

Step  25 

■ 

Step  29 

The  organization  has  a  formal  mechanism  for  creating  and  updating  its  security-  □  Current  □  Change 


related  policies.  _ _ _ 

The  organization  has  a  formal  mechanism  for  creating  its  security-related  □  Current  □  Change 

policies.  The  organization  has  an  informal  and  undocumented  mechanism  for 

updating  its  security-related  policies.  _ 

The  organization  has  an  informal  and  undocumented  mechanism  for  creating  and  □  Current  □  Change 

updating  its  security-related  policies.  _ 

_  □  Current  □  Change 


Protection Strategy Worksheet

4. Security Policies and Regulations

Step 25: How formal are your organization’s procedures for enforcing its security-related policies?

Step 29: Will any mitigation activities change how security-related policies are enforced?
Do you want to make any additional changes to how security-related policies are enforced?

Step 25: To what extent does your security-awareness training program include information about the organization’s security policies and regulations?

Step 29: Will any mitigation activities change the content of your security awareness training to include security policy and regulation information?
Do you want to make any additional changes to the content of your security awareness training?

Staff Awareness

The organization’s security-awareness training program includes information about the organization’s security policies and regulations. This training is provided for all employees ___ time(s) every ___ years. □ Current □ Change

The organization’s security-awareness training program includes information about the organization’s security policies and regulations. This training is provided for new staff members as part of their orientation activities. □ Current □ Change

The organization’s security-awareness training program does not include information about the organization’s security policies and regulations. Staff members learn about security policies and regulations on their own. □ Current □ Change

________ □ Current □ Change
4. Security Policies and Regulations

Stoplight Status ___

Step 25: How formal are your organization’s procedures for complying with security-related policies and regulations?

Step 29: Will any mitigation activities change how your organization complies with security-related policies and regulations?
Do you want to make any additional changes to how your organization complies with security-related policies and regulations?

Policy and Regulation Compliance

The organization has formal procedures for complying with information security policies, applicable laws and regulations, and insurance requirements. □ Current □ Change

The organization has formal procedures for complying with certain information security policies, applicable laws and regulations, and insurance requirements. Some procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented procedures for complying with information security policies, applicable laws and regulations, and insurance requirements. □ Current □ Change

Step 25: What additional characteristic of your current approach to security policies and regulations do you want to record?

Step 29: Will any mitigation activities change this characteristic?
Do you want to make any additional changes to this characteristic?
5. Collaborative Security Management

Stoplight Status ___

Step 25: How formal are your organization’s policies and procedures for protecting information when working with collaborators and partners?

Step 29: Will any mitigation activities change the policies and procedures for protecting information when working with collaborators and partners?
Do you want to make any additional changes to the policies and procedures for protecting information when working with collaborators and partners?

Collaborators and Partners

Step 25 | Step 29

The organization has documented policies and procedures for protecting information when working with collaborators and partners. □ Current □ Change

The organization has documented policies and procedures for protecting certain information when working with collaborators and partners. The organization has informal and undocumented policies and procedures for protecting other types of information when working with collaborators and partners. □ Current □ Change

The organization has informal and undocumented policies and procedures for protecting information when working with collaborators and partners. □ Current □ Change

________ □ Current □ Change

Step 25: How formal are your organization’s policies and procedures for protecting information when working with contractors and subcontractors?

Step 29: Will any mitigation activities change the policies and procedures for protecting information when working with contractors and subcontractors?
Do you want to make any additional changes to the policies and procedures for protecting information when working with contractors and subcontractors?

Contractors and Subcontractors

Step 25 | Step 29

The organization has documented policies and procedures for protecting information when working with contractors and subcontractors. □ Current □ Change

The organization has documented policies and procedures for protecting certain information when working with contractors and subcontractors. The organization has informal and undocumented policies and procedures for protecting other types of information when working with contractors and subcontractors. □ Current □ Change

The organization has informal and undocumented policies and procedures for protecting information when working with contractors and subcontractors. □ Current □ Change

________ □ Current □ Change
5. Collaborative Security Management

Step 25: How formal are your organization’s policies and procedures for protecting information when working with service providers?

Step 29: Will any mitigation activities change the policies and procedures for protecting information when working with service providers?
Do you want to make any additional changes to the policies and procedures for protecting information when working with service providers?

Service Providers

Step 25 | Step 29

The organization has documented policies and procedures for protecting information when working with service providers. □ Current □ Change

The organization has documented policies and procedures for protecting certain information when working with service providers. The organization has informal and undocumented policies and procedures for protecting other types of information when working with service providers. □ Current □ Change

The organization has informal and undocumented policies and procedures for protecting information when working with service providers. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your organization formally communicate its information protection requirements to third parties?

Step 29: Will any mitigation activities change how your organization communicates its information protection requirements to third parties?
Do you want to make any additional changes to how your organization communicates its information protection requirements to third parties?

Requirements

The organization documents information protection requirements and explicitly communicates them to all appropriate third parties. □ Current □ Change

The organization informally communicates information protection requirements to all appropriate third parties. □ Current □ Change

The organization does not communicate information protection requirements to third parties. □ Current □ Change

________ □ Current □ Change
5. Collaborative Security Management

Stoplight Status ___

Step 25: To what extent does your organization verify that third parties are addressing information protection requirements?

Step 29: Will any mitigation activities change verification mechanisms?
Do you want to make any additional changes to verification mechanisms?

Verification

Step 25 | Step 29

The organization has formal mechanisms for verifying that all third-party organizations, outsourced security services, mechanisms, and technologies meet its needs and requirements. □ Current □ Change

The organization has informal mechanisms for verifying that all third-party organizations, outsourced security services, mechanisms, and technologies meet its needs and requirements. □ Current □ Change

The organization has no mechanisms for verifying that all third-party organizations, outsourced security services, mechanisms, and technologies meet its needs and requirements. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your security-awareness training program include information about collaborative security management?

Step 29: Will any mitigation activities change the content of your security awareness training to include information about collaborative security management?
Do you want to make any additional changes to the content of your security awareness training?

Staff Awareness

The organization’s security-awareness training program includes information about the organization’s collaborative security management policies and procedures. This training is provided for all employees ___ time(s) every ___ years. □ Current □ Change

The organization’s security-awareness training program includes information about the organization’s collaborative security management policies and procedures. This training is provided for new staff members as part of their orientation activities. □ Current □ Change

The organization’s security-awareness training program does not include information about the organization’s collaborative security management policies and procedures. Staff members learn about collaborative security management policies and procedures on their own. □ Current □ Change

________ □ Current □ Change
5. Collaborative Security Management

Step 25: What additional characteristic of your current approach to collaborative security management do you want to record?

Step 29: Will any mitigation activities change this characteristic?
Do you want to make any additional changes to this characteristic?

Other:

Step 25 | Step 29

________ □ Current □ Change

________ □ Current □ Change

________ □ Current □ Change
6. Contingency Planning/Disaster Recovery

Stoplight Status ___

Step 25: To what extent has an analysis of operations, applications, and data criticality been performed?

Step 29: Will any mitigation activities change the extent to which business operations are analyzed?
Do you want to make any additional changes to business operations analysis?

Business Operations Analysis

Step 25 | Step 29

A partial analysis of operations, applications, and data criticality has been performed. □ Current □ Change

An analysis of operations, applications, and data criticality has not been performed. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent has your organization documented its contingency plans?

Step 29: Will any mitigation activities change how contingency plans are documented?
Do you want to make any additional changes to contingency plan documentation?

Documented Plans

The organization has documented business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. □ Current □ Change

The organization has partially documented business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. Some aspects of the plans are informal and undocumented. □ Current □ Change

The organization has informal and undocumented business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. □ Current □ Change

________ □ Current □ Change
6. Contingency Planning/Disaster Recovery

Step 25: To what extent has your organization tested its contingency plans?

Step 29: Will any mitigation activities change how contingency plans are tested?

Tested Plans

Step 25 | Step 29

The organization has formally tested its business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. □ Current □ Change

The organization has informally tested its business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. □ Current □ Change

The organization has not tested its business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent is physical and electronic access to critical information formally factored into contingency plans?

Step 29: Will any mitigation activities change the extent to which information access is formally factored into contingency plans?
Do you want to make any additional changes to how information access is formally factored into contingency plans?

Information Access

Step 25 | Step 29

Physical and electronic access to critical information is formally factored into the organization’s contingency, disaster recovery, and business continuity plans. □ Current □ Change

Physical and electronic access to some critical information is formally factored into the organization’s contingency, disaster recovery, and business continuity plans. Other types of critical information are not formally factored into the plans. □ Current □ Change

Physical and electronic access to critical information is not formally factored into the organization’s contingency, disaster recovery, and business continuity plans. □ Current □ Change

________ □ Current □ Change
6. Contingency Planning/Disaster Recovery

Stoplight Status ___

Step 25: To what extent does your security-awareness training program include information about contingency planning and disaster recovery?

Step 29: Will any mitigation activities change the content of your security awareness training to include information about contingency planning and disaster recovery?

Staff Awareness

Step 25 | Step 29

The organization’s security-awareness training program includes information about the organization’s contingency, disaster recovery, and business continuity plans. This training is provided for all employees ___ time(s) every ___ years. □ Current □ Change

The organization’s security-awareness training program includes information about the organization’s contingency, disaster recovery, and business continuity plans. This training is provided for new staff members as part of their orientation activities. □ Current □ Change

The organization’s security-awareness training program does not include information about the organization’s contingency, disaster recovery, and business continuity plans. Staff members learn about contingency, disaster recovery, and business continuity plans on their own. □ Current □ Change

________ □ Current □ Change

Step 25: What additional characteristic of your current approach to contingency planning and disaster recovery do you want to record?

Step 29: Will any mitigation activities change this characteristic?
Do you want to make any additional changes to this characteristic?

Other:

Step 25 | Step 29

________ □ Current □ Change

________ □ Current □ Change

________ □ Current □ Change
7. Physical Access Control

Stoplight Status ___

Step 25: Who is currently responsible for physical access control?

Step 29: Will any mitigation activities change responsibility for physical access control?
Do you want to make any additional changes affecting responsibility for physical access control?

Responsibility

□ Current □ Change

Task (the column headings for the responsibility checkboxes are not legible in the scan)
Controlling physical access to the building and premises (e.g., controlling visitor access) □ □ □ □ □ □
Controlling physical access to work areas (e.g., controlling staff and visitor access) □ □ □ □ □ □
Controlling physical access to IT hardware □ □ □ □ □ □
Controlling physical access to software media □ □ □ □ □ □
7. Physical Access Control

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?

Procedures

Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented plans and procedures for controlling physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization has some formally documented policies and procedures for controlling physical access to the building and premises, work areas, IT hardware, and software media. Some policies and procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented plans and procedures for controlling physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?
Do you want to make any additional changes to the requirement for attending training in this area?

Training

Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

Designated staff members are required to attend training that includes a review of the organization’s plans and procedures for physical access control. □ Current □ Change

Designated staff members can attend training that includes a review of the organization’s plans and procedures for physical access control if they request it. □ Current □ Change

The organization generally does not provide opportunities for designated staff members to attend training that includes a review of the organization’s plans and procedures for physical access control. Designated staff members learn about physical access control on their own. □ Current □ Change

________ □ Current □ Change
7. Physical Access Control

Stoplight Status ___

Third Party A: ________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?
Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues

Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for physical access control are formally communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for physical access control are informally communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for physical access control are not communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?

Verification

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for physical access control. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for physical access control. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for physical access control. □ Current □ Change

________ □ Current □ Change
7. Physical Access Control

Third Party B: ________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Collaborative Issues

Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for physical access control are formally communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for physical access control are informally communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for physical access control are not communicated to all contractors and service providers that control physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?

Verification

Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for physical access control. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for physical access control. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for physical access control. □ Current □ Change

________ □ Current □ Change
8. Monitoring and Auditing Physical Security

Stoplight Status ___

Step 25: Who is currently responsible for monitoring and auditing physical security?

Step 29: Will any mitigation activities change responsibility for monitoring and auditing physical security?
Do you want to make any additional changes affecting responsibility for monitoring and auditing physical security?

Responsibility

Step 25 | Step 29

□ Current □ Change

Task (the column headings for the responsibility checkboxes are not legible in the scan)
Keeping maintenance records to document repairs and modifications to IT hardware □ □ □ □
Monitoring physical access to controlled IT hardware □ □ □ □
Monitoring physical access to controlled IT software media □ □ □ □
Monitoring physical access to restricted work areas □ □ □ □
Reviewing monitoring records on a periodic basis □ □ □ □
Investigating and addressing any unusual activity that is identified □ □ □ □
8. Monitoring and Auditing Physical Security

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?
Do you want to make any additional changes to how procedures are documented for this area?

Procedures

Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented plans and procedures for monitoring physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization has some formally documented policies and procedures for monitoring physical access to the building and premises, work areas, IT hardware, and software media. Some policies and procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented plans and procedures for monitoring physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?
Do you want to make any additional changes to the requirement for attending training in this area?

Training

If staff from your organization is partly or completely responsible for this area:

Designated staff members are required to attend training for monitoring physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

Designated staff members can attend training for monitoring physical access to the building and premises, work areas, IT hardware, and software media if they request it. □ Current □ Change

The organization generally does not provide opportunities for designated staff members to attend training for monitoring physical access to the building and premises, work areas, IT hardware, and software media. Designated staff members learn about monitoring physical access on their own. □ Current □ Change

________ □ Current □ Change
8. Monitoring and Auditing Physical Security

Stoplight Status ___

Third Party A: ________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?
Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for monitoring physical security are formally communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for monitoring physical security are informally communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for monitoring physical security are not communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?

Verification

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

________ □ Current □ Change
8. Monitoring and Auditing Physical Security

Third Party B: ________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Collaborative Issues

Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for monitoring physical security are formally communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for monitoring physical security are informally communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

The organization’s requirements for monitoring physical security are not communicated to all contractors and service providers that monitor physical access to the building and premises, work areas, IT hardware, and software media. □ Current □ Change

________ □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?

Verification

Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for monitoring physical security. □ Current □ Change

________ □ Current □ Change
9. System and Network Management                    Stoplight Status: ______

Step 25: Who is currently responsible for system and network management?

Step 29: Will any mitigation activities change responsibility for system and network management?

Do you want to make any additional changes affecting responsibility for system and network management?


Responsibility
Task / Step 25 (Current) / Step 29 (Change)

Configuring IT hardware and software
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Securely storing sensitive information (e.g., backups stored off site, process for discarding sensitive information)
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Checking the integrity of installed software
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Keeping systems up to date with respect to revisions, patches, and recommendations in security advisories
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Making and tracking changes to IT hardware and software
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Managing passwords, accounts, and privileges
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Selecting system and network management tools
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined
Protection Strategy Worksheet

9. System and Network Management

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?


Procedures
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented system and network management procedures. □ Current □ Change

The organization has some formally documented system and network management procedures. Some procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented system and network management procedures. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?


Training
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

Information technology staff members are required to attend training for managing systems and networks and using system and network management tools. □ Current □ Change

Information technology staff members can attend training for managing systems and networks and using system and network management tools if they request it. □ Current □ Change

The organization generally does not provide opportunities for information technology staff members to attend training for managing systems and networks and using system and network management tools. Information technology staff members learn about system and network management on their own. □ Current □ Change

____________________ □ Current □ Change
9. System and Network Management

Third Party A: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?
Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s security-related system and network management requirements are formally communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

The organization’s security-related system and network management requirements are informally communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

The organization’s security-related system and network management requirements are not communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

____________________ □ Current □ Change
9. System and Network Management

Third Party B: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s security-related system and network management requirements are formally communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

The organization’s security-related system and network management requirements are informally communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

The organization’s security-related system and network management requirements are not communicated to all contractors and service providers that maintain systems and networks. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for security-related system and network management. □ Current □ Change

____________________ □ Current □ Change
10. Monitoring and Auditing IT Security                    Stoplight Status: ______

Step 25: Who is currently responsible for monitoring and auditing IT security?

Step 29: Will any mitigation activities change responsibility for monitoring and auditing IT security?

Do you want to make any additional changes affecting responsibility for monitoring and auditing IT security?


Responsibility
Task / Step 25 (Current) / Step 29 (Change)

Using system and network monitoring tools to track system and network activity
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Auditing the firewall and other security components periodically for compliance with policy
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Investigating and addressing any unusual activity that is identified
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined
10. Monitoring and Auditing IT Security

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?


Procedures
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented procedures for monitoring network-based access to systems and networks. □ Current □ Change

The organization has some formally documented procedures for monitoring network-based access to systems and networks. Some procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented procedures for monitoring network-based access to systems and networks. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?


Training
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

Information technology staff members are required to attend training for monitoring network-based access to systems and networks and using monitoring and auditing tools. □ Current □ Change

Information technology staff members can attend training for monitoring network-based access to systems and networks and using monitoring and auditing tools if they request it. □ Current □ Change

The organization generally does not provide opportunities for information technology staff members to attend training for monitoring network-based access to systems and networks and using monitoring and auditing tools. Information technology staff members learn about monitoring systems and networks on their own. □ Current □ Change

____________________ □ Current □ Change
10. Monitoring and Auditing IT Security

Third Party A: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?
Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?
Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for monitoring information technology security are formally communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

The organization’s requirements for monitoring information technology security are informally communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

The organization’s requirements for monitoring information technology security are not communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

____________________ □ Current □ Change
10. Monitoring and Auditing IT Security

Third Party B: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for monitoring information technology security are formally communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

The organization’s requirements for monitoring information technology security are informally communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

The organization’s requirements for monitoring information technology security are not communicated to all contractors and service providers that monitor systems and networks. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for monitoring information technology security. □ Current □ Change

____________________ □ Current □ Change
11. Authentication and Authorization                    Stoplight Status: ______

Step 25: Who is currently responsible for authentication and authorization?

Step 29: Will any mitigation activities change responsibility for authentication and authorization?

Do you want to make any additional changes affecting responsibility for authentication and authorization?


Responsibility
Task / Step 25 (Current) / Step 29 (Change)

Implementing access controls (e.g., file permissions, network configuration) to restrict user access to information, sensitive systems, specific applications and services, and network connections
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Implementing user authentication (e.g., passwords, biometrics) to restrict user access to information, sensitive systems, specific applications and services, and network connections
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Establishing and terminating access to systems and information for both individuals and groups
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined
11. Authentication and Authorization

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?
Do you want to make any additional changes to how procedures are documented for this area?


Procedures
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented authorization and authentication procedures for restricting user access to information, sensitive systems, specific applications and services, and network connections. □ Current □ Change

The organization has some formally documented authorization and authentication procedures for restricting user access to information, sensitive systems, specific applications and services, and network connections. Some procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented authorization and authentication procedures for restricting user access to information, sensitive systems, specific applications and services, and network connections. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?

Do you want to make any additional changes to the requirement for attending training in this area?


Training
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

Information technology staff members are required to attend training for implementing technological measures to restrict user access to information, sensitive systems, specific applications and services, and network connections. □ Current □ Change

Information technology staff members can attend training for implementing technological measures to restrict user access to information, sensitive systems, specific applications and services, and network connections if they request it. □ Current □ Change

The organization generally does not provide opportunities for information technology staff members to attend training for implementing technological measures to restrict user access to information, sensitive systems, specific applications and services, and network connections. Information technology staff members learn about authentication and authorization on their own. □ Current □ Change

____________________ □ Current □ Change
11. Authentication and Authorization

Third Party A: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?
Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for controlling access to systems and information are formally communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

The organization’s requirements for controlling access to systems and information are informally communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

The organization’s requirements for controlling access to systems and information are not communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

____________________ □ Current □ Change

CMU/SEI-2003-HB-003  Volume  9 


11. Authentication and Authorization

Third Party B: ____________________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Do you want to make any additional changes to how you communicate requirements to this third party?


Collaborative Issues
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for controlling access to systems and information are formally communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

The organization’s requirements for controlling access to systems and information are informally communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

The organization’s requirements for controlling access to systems and information are not communicated to all contractors and service providers that provide authentication and authorization services. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?
Do you want to make any additional changes to how you verify that requirements are being met?


Verification
Step 25 = Current    Step 29 = Change

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for authentication and authorization. □ Current □ Change

____________________ □ Current □ Change
12. Vulnerability Management                    Stoplight Status: ______

Step 25: Who is currently responsible for vulnerability management?

Step 29: Will any mitigation activities change responsibility for vulnerability management?

Do you want to make any additional changes affecting responsibility for vulnerability management?


Responsibility
Task / Step 25 (Current) / Step 29 (Change)

Selecting vulnerability evaluation tools, checklists, and scripts
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Scheduling and performing technology vulnerability evaluations on a periodic basis
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Keeping up to date with known vulnerability types and attack methods
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Reviewing sources of information on vulnerability announcements, security alerts, and notices
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Interpreting the results of technology vulnerability evaluations
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Addressing technology vulnerabilities that are identified
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined

Maintaining secure storage and disposition of technology vulnerability data
  Step 25: □ Internal □ External □ Combined    Step 29: □ Internal □ External □ Combined
12. Vulnerability Management

Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area?


Procedures
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented vulnerability management procedures. □ Current □ Change

The organization has some formally documented vulnerability management procedures. Some procedures in this area are informal and undocumented. □ Current □ Change

The organization has informal and undocumented vulnerability management procedures. □ Current □ Change

____________________ □ Current □ Change


Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?


Training
Step 25 = Current    Step 29 = Change

If staff from your organization is partly or completely responsible for this area:

Information technology staff members are required to attend training for managing technology vulnerabilities and using vulnerability evaluation tools. □ Current □ Change

Information technology staff members can attend training for managing technology vulnerabilities and using vulnerability evaluation tools if they request it. □ Current □ Change

The organization generally does not provide opportunities for information technology staff members to attend training for managing technology vulnerabilities and using vulnerability evaluation tools. Information technology staff members learn about vulnerability management on their own. □ Current □ Change

____________________ □ Current □ Change
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12.  Vulnerability  Management 


Stoplight  Status  |  j 


Third  Party  A: _ _ _ _ _ 

Step  25:  To  what  extent  does  your  organization  formally  communicate  its  requirements  in  this  area  to  this  third  party? 

Step  29 ■  Will  any  mitigation  activities  change  how  your  organization  communicates  its  requirements  to  this  third  party? 
Do  you  want  to  make  any  additional  changes  to  how  you  communicate  requirements tothisthird, party. 


Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s vulnerability management requirements are formally communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

The organization’s vulnerability management requirements are informally communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

The organization’s vulnerability management requirements are not communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

__________   □ Current □ Change


Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

__________   □ Current □ Change
Protection Strategy Worksheet

12. Vulnerability Management

Third Party B: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s vulnerability management requirements are formally communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

The organization’s vulnerability management requirements are informally communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

The organization’s vulnerability management requirements are not communicated to all contractors and service providers that manage technology vulnerabilities.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for vulnerability management.   □ Current □ Change

__________   □ Current □ Change
OCTAVE-S  V1.0 


13. Encryption

Stoplight Status: ____

Responsibility   Step 25 | Step 29

Step 25: Who is currently responsible for encryption?

Step 29: Will any mitigation activities change responsibility for encryption? Do you want to make any additional changes affecting responsibility for encryption?

Implementing encryption technologies to protect sensitive information that is electronically stored and transmitted (e.g., data encryption, public key infrastructure, virtual private network technology)

Implementing encrypted protocols for remotely managing systems, routers, and firewalls

[Checkbox columns for Step 25 (Current) and Step 29 (Change) follow each activity.]
Step 25: To what extent are procedures for this area formally documented?

Step 29: Will any mitigation activities change the extent to which procedures are formally documented for this area? Do you want to make any additional changes to how procedures are documented for this area?

Procedures   Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented procedures for implementing and using encryption technologies.   □ Current □ Change

The organization has some formally documented procedures for implementing and using encryption technologies. Some procedures in this area are informal and undocumented.   □ Current □ Change

The organization has informal and undocumented procedures for implementing and using encryption technologies.   □ Current □ Change

__________   □ Current □ Change
13. Encryption

Step 25: To what extent are IT staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area?

Information Technology Staff Training   Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

Information technology staff members are required to attend training for implementing encryption technologies.   □ Current □ Change

Information technology staff members can attend training for implementing encryption technologies if they request it.   □ Current □ Change

The organization generally does not provide opportunities for information technology staff members to attend training for implementing encryption technologies. Information technology staff members learn about implementing encryption technologies on their own.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area? Do you want to make any additional changes to the requirement for attending training in this area?

Staff Training   Step 25 | Step 29

All staff members are required to attend training for using encryption technologies.   □ Current □ Change

All staff members can attend training for using encryption technologies if they request it.   □ Current □ Change

The organization generally does not provide opportunities for staff members to attend training for using encryption technologies. Staff members learn about using encryption technologies on their own.   □ Current □ Change

__________   □ Current □ Change
13. Encryption

Stoplight Status: ____

Third Party A: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for protecting sensitive information are formally communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

The organization’s requirements for protecting sensitive information are informally communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

The organization’s requirements for protecting sensitive information are not communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

__________   □ Current □ Change

CMU/SEI-2003-HB-003 Volume 9
13. Encryption

Third Party B: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for protecting sensitive information are formally communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

The organization’s requirements for protecting sensitive information are informally communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

The organization’s requirements for protecting sensitive information are not communicated to all contractors and service providers that provide encryption technologies.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for implementing encryption technologies.   □ Current □ Change

__________   □ Current □ Change
14. Security Architecture and Design

Stoplight Status: ____

Responsibility   Step 25 | Step 29

Step 25: Who is currently responsible for security architecture and design?

Step 29: Will any mitigation activities change responsibility for security architecture and design? Do you want to make any additional changes affecting responsibility for security architecture and design?

Designing security controls in new and revised systems and networks

Documenting and revising diagrams that show the enterprise-wide security architecture and network topology

[Checkbox columns for Step 25 (Current) and Step 29 (Change) follow each activity.]
14. Security Architecture and Design

Step 25: To what extent are practices for this area formally documented?

Step 29: Will any mitigation activities change the extent to which practices are formally documented for this area? Do you want to make any additional changes to how practices are documented for this area?

Procedures   Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented security architecture and design practices.   □ Current □ Change

The organization has some formally documented security architecture and design practices. Some practices in this area are informal and undocumented.   □ Current □ Change

The organization has informal and undocumented security architecture and design practices.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area? Do you want to make any additional changes to the requirement for attending training in this area?

Training   Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

Staff members are required to attend training for designing secure systems and networks.   □ Current □ Change

Staff members can attend training for designing secure systems and networks if they request it.   □ Current □ Change

The organization generally does not provide opportunities for staff members to attend training for designing secure systems and networks. Staff members learn about security architecture and design on their own.   □ Current □ Change

__________   □ Current □ Change
14. Security Architecture and Design

Stoplight Status: ____

Third Party A: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s security-related requirements are formally communicated to all contractors and service providers that design systems and networks.   □ Current □ Change

The organization’s security-related requirements are informally communicated to all contractors and service providers that design systems and networks.   □ Current □ Change

The organization’s security-related requirements are not communicated to all contractors and service providers that design systems and networks.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for security architecture and design.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for security architecture and design.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for security architecture and design.   □ Current □ Change

__________   □ Current □ Change
14. Security Architecture and Design

Third Party B: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?
15. Incident Management

Stoplight Status: ____

Responsibility   Step 25 | Step 29

Step 25: Who is currently responsible for incident management?

Step 29: Will any mitigation activities change responsibility for incident management? Do you want to make any additional changes affecting responsibility for incident management?

Procedures   Step 25 | Step 29

If staff from your organization is partly or completely responsible for this area:

The organization has formally documented incident management procedures.   □ Current □ Change

The organization has some formally documented incident management procedures. Some procedures in this area are informal and undocumented.   □ Current □ Change

The organization has informal and undocumented incident management procedures.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent are staff members required to attend training in this area?

Step 29: Will any mitigation activities change the requirement for attending training in this area? Do you want to make any additional changes to the requirement for attending training in this area?


15. Incident Management

Stoplight Status: ____

Third Party A: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for managing incidents are formally communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

The organization’s requirements for managing incidents are informally communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

The organization’s requirements for managing incidents are not communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

__________   □ Current □ Change
15. Incident Management

Third Party B: __________

Step 25: To what extent does your organization formally communicate its requirements in this area to this third party?

Step 29: Will any mitigation activities change how your organization communicates its requirements to this third party? Do you want to make any additional changes to how you communicate requirements to this third party?

Collaborative Issues   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization’s requirements for managing incidents are formally communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

The organization’s requirements for managing incidents are informally communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

The organization’s requirements for managing incidents are not communicated to all contractors and service providers that provide incident management services.   □ Current □ Change

__________   □ Current □ Change

Step 25: To what extent does your organization verify that this third party is addressing requirements in this area?

Step 29: Will any mitigation activities change how you verify that this third party is addressing requirements in this area? Do you want to make any additional changes to how you verify that requirements are being met?

Verification   Step 25 | Step 29

If staff from a third party is partly or completely responsible for this area:

The organization formally verifies that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

The organization informally verifies that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

The organization does not verify that contractors and service providers have met the requirements for managing incidents.   □ Current □ Change

__________   □ Current □ Change
5 Mitigation Activities Guide

Phase 3
Process S5
Activity S5.3

The Mitigation Activities Guide describes potential mitigation activities for each security practice area. You will find examples of mitigation activities related to each security practice area in this guide.

Security Practice Area

1. Security Awareness and Training
2. Security Strategy
3. Security Management
4. Security Policies and Regulations
5. Collaborative Security Management
6. Contingency Planning/Disaster Recovery
7. Physical Access Control
8. Monitoring and Auditing Physical Security
9. System and Network Management
10. Monitoring and Auditing IT Security
11. Authentication and Authorization
12. Vulnerability Management
13. Encryption
14. Security Architecture and Design
15. Incident Management
1. Security Awareness and Training   Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link

Develop and document a training strategy that includes security awareness training and security-related training for supported technologies. | Training Strategy

Provide security awareness training for all employees on a periodic basis (e.g., ___ time(s) every ___ years). | Security Awareness Training

Provide security awareness training for new staff members as part of their orientation activities. | Security Awareness Training

Require IT staff members to attend security-related training for any technologies that they support. | Security-Related Training for Supported Technologies

Enable IT staff members to attend security-related training for any technologies that they support. | Security-Related Training for Supported Technologies

Implement a formal mechanism for providing staff members with periodic updates/bulletins about important security issues. | Periodic Security Updates

Implement an informal mechanism for providing staff members with periodic updates/bulletins about important security issues. | Periodic Security Updates

Implement a formal mechanism for tracking and verifying that staff members receive appropriate security-related training. | Training Verification

Implement an informal mechanism for tracking and verifying that staff members receive appropriate security-related training. | Training Verification

Schedule a one-time offering of security awareness training. | —

Send selected staff members to training for a specific technology (i.e., a limited or one-time offering in a specific technology). | —

Cross train selected staff members to use specific information systems and/or applications. Cross-trained staff members will back up the primary users of those systems and/or applications. | —

Cross train selected staff members to provide specific skills or services. Cross-trained staff members will back up the staff members who normally provide those skills or services. | —

Cross train selected IT staff members to configure and maintain specific information systems, networks, and/or applications. Cross-trained IT staff members will back up the primary administrators who normally maintain those systems, networks, and/or applications. | —

Ensure that selected staff members understand how to notify and work with third parties that own or operate key systems. These people will be able to work with third parties when there are problems with systems owned and/or operated by those third parties. | —
2. Security Strategy   Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link

Implement a formal mechanism for integrating (a) security considerations into business strategies and (b) business strategies and goals into security strategies and policies. | Business and Security Strategy Integration

Implement an informal mechanism for integrating (a) security considerations into business strategies and (b) business strategies and goals into security strategies and policies. | Business and Security Strategy Integration

Document security strategies, goals, and objectives for all aspects of information security. | Documented Strategies

Document the security strategies, goals, and objectives for selected security-related areas. | Documented Strategies

Incorporate information about the organization’s security strategy into the organization’s security-awareness training program. | Staff Awareness
3. Security Management   Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link

Document information security roles and responsibilities for all staff in the organization. | Roles and Responsibilities

Document information security roles and responsibilities for selected staff members. | Roles and Responsibilities

Include a separate line item for information security activities in the organization’s budget. | Funding

Include a separate line item for information security activities in the organization’s information technology budget. | Funding

Use the results of an information security risk evaluation to determine the level of funding for information security activities. | Funding

Document procedures for including security considerations in the organization’s hiring and termination processes. | Human Resource Procedures

Document a process for assessing and managing the organization’s information security risks. | Risk Management

Document a process for assessing the organization’s information security risks. | Risk Management

Incorporate information about the organization’s security management process into the organization’s security-awareness training program. | Staff Awareness

Implement a formal mechanism for providing managers with summaries of important security-related information. | Management Awareness

Implement an informal mechanism for providing managers with summaries of important security-related information. | Management Awareness
4. Security Policies and Regulations   Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link

Document a comprehensive set of security-related policies. | Documented Policies

Document security-related policies for selected areas. | Documented Policies

Implement a formal mechanism for creating and updating security-related policies. | Policy Management

Implement a formal mechanism for creating security-related policies. | Policy Management

Implement formal procedures for enforcing security-related policies. | Policy Enforcement

Incorporate information about the organization’s security policies and regulations into the organization’s security-awareness training program. | Staff Awareness

Document procedures for complying with all information security policies, applicable laws and regulations, and insurance requirements. | Policy and Regulation Compliance

Document procedures for complying with selected security policies, applicable laws and regulations, and insurance requirements. | Policy and Regulation Compliance
5. Collaborative Security Management

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Document policies and procedures for protecting information when working with collaborators and partners. | Collaborators and Partners
Document policies and procedures for protecting information when working with contractors and subcontractors. | Contractors and Subcontractors
Document policies and procedures for protecting information when working with service providers. | Service Providers
Implement a formal mechanism (e.g., contract mechanism) for communicating information protection requirements to all appropriate third parties. | Requirements
Implement an informal mechanism (e.g., assign responsibility) for communicating information protection requirements to all appropriate third parties. | Requirements
Implement a formal mechanism (e.g., contract mechanism) for verifying that all third-party organizations, outsourced security services, mechanisms, and technologies meet the organization’s information protection requirements. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that all third-party organizations, outsourced security services, mechanisms, and technologies meet the organization’s information protection requirements. | Verification
Incorporate information about the organization’s policies and procedures for collaborative security management into the organization’s security-awareness training program. | Staff Awareness

6. Contingency Planning/Disaster Recovery

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Perform an analysis defining the criticality of all operations, applications, and data. | Business Operations Analysis
Perform an analysis defining the criticality of selected operations, applications, and/or data. | Business Operations Analysis
Document business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. | Documented Plans
Document a subset of the following plans for responding to emergencies: business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s). | Documented Plans
Formally test the organization’s business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. | Tested Plans
Formally test a subset of the following plans for responding to emergencies: business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s). | Tested Plans
Incorporate contingency plans into the organization’s disaster recovery and business continuity plans for accessing critical information. | Information Access
Incorporate information about the organization’s contingency, disaster recovery, and business continuity plans into the organization’s security-awareness training program. | Staff Awareness
Document a disaster recovery plan for a specific system maintained by the information technology staff. | —
Develop a disaster recovery plan for a specific system maintained by a third party. | —
Document a business continuity plan for specific business processes. | —
Purchase insurance for any security problems related to a specific system. | —
Configure and maintain a hot backup for a system. | —
Configure and maintain a cold backup for a specific system. | —

7. Physical Access Control

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for controlling physical access to the building and premises (e.g., controlling visitor access). | Responsibility
Change responsibility for controlling physical access to work areas (e.g., controlling staff and visitor access). | Responsibility
Change responsibility for controlling physical access to IT hardware. | Responsibility
Change responsibility for controlling physical access to software media. | Responsibility
Document formal procedures for controlling physical access to the building and premises, work areas, IT hardware, and software media. | Procedures
Send selected staff members to training for controlling physical access to the building and premises, work areas, IT hardware, and software media. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for physical access control to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for physical access control to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for physical access control have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for physical access control have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

8. Monitoring and Auditing Physical Security

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for keeping maintenance records that document repairs and modifications to IT hardware. | Responsibility
Change responsibility for monitoring physical access to controlled IT hardware. | Responsibility
Change responsibility for monitoring physical access to controlled IT software media. | Responsibility
Change responsibility for monitoring physical access to restricted work areas. | Responsibility
Change responsibility for reviewing monitoring records on a periodic basis. | Responsibility
Change responsibility for investigating and addressing any unusual activity that is identified. | Responsibility
Document formal procedures for monitoring physical access to the building and premises, work areas, IT hardware, and software media. | Procedures
Send selected staff members to training for monitoring physical access to the building and premises, work areas, IT hardware, and software media. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for monitoring physical security to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for monitoring physical security to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for monitoring physical security have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for monitoring physical security have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Install video cameras in designated areas of the premises. | —
Retain the services of security guards to monitor activity on the premises. | —
Implement sign-in sheets to log visitors’ access to the building and/or designated work areas. | —
Implement card access to log physical access to the building and/or designated work areas. | —
Arrange a meeting with all appropriate contractors, service providers, and third parties to communicate requirements for monitoring physical security in the organization and to verify that those requirements have been met. | —

CMU/SEI-2003-HB-003 Volume 9

9. System and Network Management

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for configuring IT hardware and software. | Responsibility
Change responsibility for securely storing sensitive information (e.g., backups stored offsite, process for discarding sensitive information). | Responsibility
Change responsibility for checking the integrity of installed software. | Responsibility
Change responsibility for keeping systems up to date with respect to revisions, patches, and recommendations in security advisories. | Responsibility
Change responsibility for making and tracking changes to IT hardware and software. | Responsibility
Change responsibility for managing passwords, accounts, and privileges. | Responsibility
Change responsibility for selecting system and network management tools. | Responsibility
Document formal procedures for managing systems and networks. | Procedures
Send selected staff members to training for managing systems and networks. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for secure system and network management to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for secure system and network management to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for secure system and network management have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for secure system and network management have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

10. Monitoring and Auditing IT Security

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for using system and network monitoring tools to track system and network activity. | Responsibility
Change responsibility for periodically auditing the firewall and other security components for compliance with policy. | Responsibility
Change responsibility for investigating and addressing any unusual activity that is identified. | Responsibility
Document formal procedures for monitoring network access to systems and networks. | Procedures
Send selected staff members to training for monitoring network access to systems and networks. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for monitoring IT security to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for monitoring IT security to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for monitoring IT security have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for monitoring IT security have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

OCTAVE-S V1.0

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for implementing access controls (e.g., file permissions, network configuration) to restrict user access to information, sensitive systems, specific applications and services, and network connections. | Responsibility
Change responsibility for implementing user authentication (e.g., passwords, biometrics) to restrict user access to information, sensitive systems, specific applications and services, and network connections. | Responsibility
Change responsibility for establishing and terminating access to systems and information for both individuals and groups. | Responsibility
Document formal procedures for restricting user access to information, sensitive systems, specific applications and services, and network connections. | Procedures
Send selected staff members to training for implementing technological measures to restrict user access to information, sensitive systems, specific applications and services, and network connections. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for controlling access to systems and information to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for controlling access to systems and information to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for controlling access to systems and information have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for controlling access to systems and information have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

12. Vulnerability Management

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for selecting vulnerability evaluation tools, checklists, and scripts. | Responsibility
Change responsibility for scheduling and performing technology vulnerability evaluations on a periodic basis. | Responsibility
Change responsibility for keeping up to date with known vulnerability types and attack methods. | Responsibility
Change responsibility for reviewing sources of information on vulnerability announcements, security alerts, and notices. | Responsibility
Change responsibility for interpreting the results of technology vulnerability evaluations. | Responsibility
Change responsibility for addressing technology vulnerabilities that are identified. | Responsibility
Change responsibility for maintaining secure storage and disposition of technology vulnerability data. | Responsibility
Document formal procedures for managing technology vulnerabilities. | Procedures
Send selected staff members to training for managing technology vulnerabilities. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for managing technology vulnerabilities to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for managing technology vulnerabilities to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for managing technology vulnerabilities have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for managing technology vulnerabilities have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

13. Encryption

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for implementing encryption technologies to protect sensitive information that is electronically stored and transmitted (e.g., data encryption, public key infrastructure, virtual private network technology). | Responsibility
Change responsibility for implementing encrypted protocols for remotely managing systems, routers, and firewalls. | Responsibility
Document formal procedures for implementing and using encryption technologies. | Procedures
Send selected IT staff members to training for implementing encryption technologies. | Information Technology Staff Training
Send selected staff members to training for using encryption technologies. | Staff Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for protecting sensitive information to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for protecting sensitive information to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for protecting sensitive information have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for protecting sensitive information have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement encryption technologies to protect specific types of information and/or systems. | —
Arrange a meeting with all appropriate contractors, service providers, and third parties to communicate requirements for protecting sensitive information in the organization and to verify that those requirements have been met. | —

14. Security Architecture and Design

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for designing security controls in new and revised systems and networks. | Responsibility
Change responsibility for documenting and revising diagrams that show the enterprise-wide security architecture and network topology. | Responsibility
Document formal security architecture and design practices. | Procedures
Send selected staff members to training for designing secure systems and networks. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for incorporating appropriate security features into systems and networks to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for incorporating appropriate security features into systems and networks to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for incorporating appropriate security features into systems and networks have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for incorporating appropriate security features into systems and networks have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification

15. Incident Management

Candidate Mitigation Activities

Mitigation Activity | Protection Strategy Link
Change responsibility for documenting and revising procedures for identifying, reporting, and responding to suspected security incidents and violations. | Responsibility
Change responsibility for documenting and revising policies and procedures for working with law enforcement agencies. | Responsibility
Change responsibility for testing incident management procedures on a periodic basis. | Responsibility
Document formal procedures for managing incidents. | Procedures
Send selected staff members to training for managing incidents. | Training
Implement a formal mechanism (e.g., contract mechanism) for communicating the organization’s requirements for managing incidents to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement an informal mechanism (e.g., assign responsibility) for communicating the organization’s requirements for managing incidents to all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Collaborative Issues
Implement a formal mechanism (e.g., contract mechanism) for verifying that the organization’s requirements for managing incidents have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Implement an informal mechanism (e.g., assign responsibility) for verifying that the organization’s requirements for managing incidents have been met by all appropriate contractors, service providers, and third parties. Assign responsibility for working directly with those contractors, service providers, and third parties to selected staff members. | Verification
Test current incident management procedures. | —
Arrange a meeting with all appropriate contractors, service providers, and third parties to communicate requirements for managing incidents in the organization and to verify that those requirements have been met. | —

6 Mitigation Plan Worksheet

Phase 3
Process S5
Activity S5.3

Step 28 Develop mitigation plans for each security practice area selected during Step 27.

As you complete this step, if you have difficulty coming up with potential mitigation activities for a security practice area, review examples of mitigation activities for that area in the Mitigation Activities Guide.

Mitigation Area:

Step 28

Mitigation Activity | Rationale
Which mitigation activities are you going to implement in this security practice area? | Why did you select each activity?

Mitigation Responsibility | Additional Support
Who needs to be involved in implementing each activity? Why? | What additional support will be needed when implementing each activity (e.g., funding, commitment of staff, sponsorship)?

7 Next Steps Worksheet

Phase 3
Process S5
Activity S5.5
Step 30

Determine what your organization must do to implement the results of this evaluation and improve its security posture.
Step 30

Management Sponsorship for Security Improvement

What must management do to support the implementation of OCTAVE-S results?

Consider the following:

• Contribute funds to information security activities.

• Assign staff to information security activities.

• Ensure that staff members have sufficient time allocated to information security activities.

• Enable staff to receive training about information security.

• Make information security a strategic priority.


Monitoring Implementation

What will the organization do to track progress and ensure that the results of this evaluation are implemented?

Expanding the Current Information Security Risk Evaluation

Will you expand the current OCTAVE-S evaluation to include additional critical assets? Which ones?

Next Information Security Risk Evaluation

When will the organization conduct its next OCTAVE-S evaluation?
